XSS via upload pdf file in usememos/memos

Valid

Reported on

Jan 3rd 2023


Description

Hi there, it's my pleasure to submit a report to you again to help maintain the safety of the project. Most users can upload files in the module named 'Resources'. We can upload PDF files. But uploading malicious PDF files will cause an XSS vulnerability, which will cause great harm to users of the website.

You can click the following link to download the malicious PDF file I provided: pdf_file link. You can also search for more dangerous PDF files on the Internet or make them yourself. For details, you can click my video link below to watch.

link

poc https://drive.google.com/file/d/10PjyAKOgWNGd77J_vtuK_invJ-6hpUOj/view?usp=share_link

If anyone views this PDF file, they will be attacked.

Reference

You can also refer to the following link to view the vulnerability information related to the PDF file:

link_reference

Impact

(1) By stealing the administrator account or cookie, the intruder can log in to the backend as an administrator. It enables intruders to manipulate backend data maliciously, including reading, changing, adding and deleting some information.

(2) Stealing users' personal information or login accounts will pose a huge threat to the user security of the website. For example, pretending to be a user for various operations.

(3) Website "horse hanging" (drive-by Trojan planting). First, embed the malicious attack code into the web application. When a user browses the horse-hanging page, the user's computer will be implanted with a Trojan horse.

(4) Sending advertisements or spam messages. Attackers can use XSS vulnerabilities to plant advertisements or send spam, seriously affecting

We are processing your report and will contact the usememos/memos team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
Christy__
a year ago

Researcher


Hi @Maintainer, my suggestion is that you modify the headers and related properties of the web server configuration, or force the browser to download PDF files instead of providing online viewing. It is also a good choice to refer to the following link to find the appropriate solution: https://owasp.org/www-pdf-archive/OWASP_IL_The_Universal_XSS_PDF_Vulnerability.pdf
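
As an added example of the mitigation suggested above (this is not memos' own code), a small Go handler that serves uploaded resources as a forced download with an opaque-origin sandbox instead of rendering them inline. The `/o/r/` route, the in-memory resource map and the sample PDF bytes are constructed for this demo.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
)

// Constructed sample store standing in for the real resource storage.
var resources = map[string][]byte{
	"xss.pdf": []byte("%PDF-1.4\n% constructed sample, no active content\n"),
}

// downloadHeaders sets the headers that keep a user-supplied file from being
// rendered inline in the application's origin.
func downloadHeaders(w http.ResponseWriter, filename string) {
	// Generic type plus nosniff: the browser must not guess a renderable type.
	w.Header().Set("Content-Type", "application/octet-stream")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	// Force download. path.Base strips directories; %q escapes quotes and CR/LF
	// so a crafted file name cannot break out of the header value.
	w.Header().Set("Content-Disposition",
		fmt.Sprintf("attachment; filename=%q", path.Base(filename)))
	// Defence in depth: if anything still renders the file, it runs sandboxed
	// in an opaque origin with no access to cookies or the site's DOM.
	w.Header().Set("Content-Security-Policy", "sandbox; default-src 'none'")
}

func resourceHandler(w http.ResponseWriter, r *http.Request) {
	name := path.Base(r.URL.Path)
	data, ok := resources[name]
	if !ok {
		http.NotFound(w, r)
		return
	}
	downloadHeaders(w, name)
	w.Write(data)
}

// serveResource runs one GET against the handler and returns the response.
func serveResource(name string) *http.Response {
	rec := httptest.NewRecorder()
	resourceHandler(rec, httptest.NewRequest("GET", "/o/r/"+name, nil))
	return rec.Result()
}

func main() {
	resp := serveResource("xss.pdf")
	fmt.Println(resp.Header.Get("Content-Disposition"))
}
```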

We have contacted a member of the usememos/memos team and are waiting to hear back a year ago
STEVEN validated this vulnerability a year ago
Christy__ has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.10.0 with commit 46c13a a year ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability a year ago
hunter1337k
6 months ago

Same method: I found 2 stored XSS via that xss.pdf file above. I have a question: do you have a PDF for SSRF & RCE?

Christy__
6 months ago

Researcher


Hello @hunter1337k, I have PDF files that can cause SSRF. I think PDF files causing RCE can also be generated. By the way, I am very interested in the way you find the vulnerabilities. How did you find these two XSS vulnerabilities? We can have a conversation.

hunter1337k
6 months ago

Can we discuss here or in private?

Christy__
6 months ago

Researcher


Do you have any other email or social account?

hunter1337k
6 months ago

What's your Twitter ID?

hunter1337k
6 months ago

Christy__
6 months ago

Researcher


https://twitter.com/Chr15ty3pz

SaFiSec
6 months ago

Can you pop up (document.domain)? I edited the PDF but it didn't work.

aadeshjain51
6 months ago

Do you have an XSS payload that can pop up (document.cookie) or (document.domain)? Please share if you have one.

ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ
5 months ago

I was able to upload the file, but the XSS doesn't pop up. Do you have any idea?
